Add more options to session_sharing.match (#6566)

Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>

Author: shinrich

doc/admin-guide/files/records.config.en.rst

@@ -929,32 +929,29 @@ mptcp
    :overridable:
 
    Enable and set the ability to re-use server connections across client
-   connections. The valid values are:
-
-   ======== ===================================================================
-   Value    Description
-   ======== ===================================================================
-   ``none`` Do not match and do not re-use server sessions. If using this in
-            :ref:`ts-overridable-config` (like the :ref:`admin-plugins-conf-remap`),
-            use the integer ``0`` instead.
-   ``both`` Re-use server sessions, if *both* the IP address and fully qualified
-            domain name match. If using this in :ref:`ts-overridable-config` (like
-            the :ref:`admin-plugins-conf-remap`), use the integer ``1`` instead.
-   ``ip``   Re-use server sessions, checking only that the IP address and port
-            of the origin server matches. If using this in
-            :ref:`ts-overridable-config` (like the :ref:`admin-plugins-conf-remap`),
-            use the integer ``2`` instead.
-   ``host`` Re-use server sessions, checking only that the fully qualified
-            domain name matches. If using this in :ref:`ts-overridable-config`
-            (like the :ref:`admin-plugins-conf-remap`), use the integer ``3`` instead.
-   ======== ===================================================================
-
-   It is strongly recommended to use either ``none`` or ``both`` for this value
-   unless you have a specific need for the other settings. The most common
-   reason is virtual hosts that share an IP address in which case performance
-   can be enhanced if those sessions can be re-used. However, not all web
-   servers support requests for different virtual hosts on the same connection
-   so use with caution.
+   connections. Multiple values can be specified when separated by commas with no white spaces. Valid values are:
+
+   ============= ===================================================================
+   Value         Description
+   ============= ===================================================================
+   ``none``      Do not match and do not re-use server sessions.
+   ``ip``        Re-use server sessions, checking only that the IP address and port
+                 of the origin server matches.
+   ``host``      Re-use server sessions, checking that the fully qualified
+                 domain name matches. In addition, if the session uses TLS, it also
+                 checks that the current transaction's host header value matchs the session's SNI.
+   ``both``      Equivalent to ``host,ip``.
+   ``hostonly``  Check that the fully qualified domain name matches.
+   ``sni``       Check that the SNI of the session matches the SNI that would be used to
+                 create a new session.  Only applicable for TLS sessions.
+   ``cert``      Check that the certificate file name used for the server session matches the
+                 certificate file name that would be used for the new server session.  Only
+                 applicable for TLS sessions.
+   ============= ===================================================================
+
+   The setting must contain at least one of ``ip``, ``host``, ``hostonly`` or ``both``
+   for session reuse to operate.  The other values may be used for greater control
+   with TLS sessoin reuse.
 
 .. note::
 

doc/developer-guide/api/types/TSServerSessionSharingMatchType.en.rst

@@ -599,22 +599,6 @@ typedef enum {
 
 #ifndef _HTTP_PROXY_API_ENUMS_H_
 #define _HTTP_PROXY_API_ENUMS_H_
-/// Server session sharing values - match
-/// Must be identical to definition in HttpProxyAPIEnums.h
-typedef enum {
-  TS_SERVER_SESSION_SHARING_MATCH_NONE,
-  TS_SERVER_SESSION_SHARING_MATCH_BOTH,
-  TS_SERVER_SESSION_SHARING_MATCH_IP,
-  TS_SERVER_SESSION_SHARING_MATCH_HOST
-} TSServerSessionSharingMatchType;
-
-/// Server session sharing values - pool
-/// Must be identical to definition in HttpProxyAPIEnums.h
-typedef enum {
-  TS_SERVER_SESSION_SHARING_POOL_GLOBAL,
-  TS_SERVER_SESSION_SHARING_POOL_THREAD,
-} TSServerSessionSharingPoolType;
-
 /// Values for per server outbound connection tracking group definition.
 /// See proxy.config.http.per_server.match
 typedef enum {

doc/developer-guide/api/types/TSServerSessionSharingPoolType.en.rst

@@ -586,7 +586,7 @@ class HTTPHdr : public MIMEHdr
       @note The results are cached so this is fast after the first call.
       @return A pointer to the host name.
   */
-  const char *host_get(int *length = nullptr);
+  const char *host_get(int *length = nullptr) const;
 
   /** Get the target port.
       If the target port is not found then it is adjusted to the
@@ -857,7 +857,7 @@ HTTPHdr::_test_and_fill_target_cache() const
   -------------------------------------------------------------------------*/
 
 inline const char *
-HTTPHdr::host_get(int *length)
+HTTPHdr::host_get(int *length) const
 {
   this->_test_and_fill_target_cache();
   if (m_target_in_url) {

include/ts/apidefs.h.in

@@ -180,7 +180,7 @@ Http1ServerSession::release()
   server_vc->control_flags.set_flags(0);
 
   // Private sessions are never released back to the shared pool
-  if (private_session || TS_SERVER_SESSION_SHARING_MATCH_NONE == sharing_match) {
+  if (private_session || sharing_match == 0) {
     this->do_io_close();
     return;
   }

proxy/hdrs/HTTP.h

@@ -111,7 +111,7 @@ class Http1ServerSession : public VConnection
   bool private_session = false;
 
   // Copy of the owning SM's server session sharing settings
-  TSServerSessionSharingMatchType sharing_match = TS_SERVER_SESSION_SHARING_MATCH_BOTH;
+  TSServerSessionSharingMatchMask sharing_match = TS_SERVER_SESSION_SHARING_MATCH_MASK_NONE;
   TSServerSessionSharingPoolType sharing_pool   = TS_SERVER_SESSION_SHARING_POOL_GLOBAL;
 
   /// Hash map descriptor class for IP map.

proxy/http/Http1ServerSession.cc

@@ -76,11 +76,12 @@ template <typename T> struct ConfigEnumPair {
 /// If found @a value is set to the corresponding value in @a list.
 template <typename T, unsigned N>
 static bool
-http_config_enum_search(const char *key, const ConfigEnumPair<T> (&list)[N], MgmtByte &value)
+http_config_enum_search(std::string_view key, const ConfigEnumPair<T> (&list)[N], MgmtByte &value)
 {
+  Debug("http_config", "enum element %.*s", static_cast<int>(key.size()), key.data());
   // We don't expect any of these lists to be more than 10 long, so a linear search is the best choice.
   for (unsigned i = 0; i < N; ++i) {
-    if (0 == strcasecmp(list[i]._key, key)) {
+    if (key.compare(list[i]._key) == 0) {
       value = list[i]._value;
       return true;
     }
@@ -110,10 +111,56 @@ http_config_enum_read(const char *name, const ConfigEnumPair<T> (&list)[N], Mgmt
 ////////////////////////////////////////////////////////////////
 /// Session sharing match types.
 static const ConfigEnumPair<TSServerSessionSharingMatchType> SessionSharingMatchStrings[] = {
-  {TS_SERVER_SESSION_SHARING_MATCH_NONE, "none"},
-  {TS_SERVER_SESSION_SHARING_MATCH_IP, "ip"},
-  {TS_SERVER_SESSION_SHARING_MATCH_HOST, "host"},
-  {TS_SERVER_SESSION_SHARING_MATCH_BOTH, "both"}};
+  {TS_SERVER_SESSION_SHARING_MATCH_NONE, "none"}, {TS_SERVER_SESSION_SHARING_MATCH_IP, "ip"},
+  {TS_SERVER_SESSION_SHARING_MATCH_HOST, "host"}, {TS_SERVER_SESSION_SHARING_MATCH_HOST, "hostsni"},
+  {TS_SERVER_SESSION_SHARING_MATCH_BOTH, "both"}, {TS_SERVER_SESSION_SHARING_MATCH_HOSTONLY, "hostonly"},
+  {TS_SERVER_SESSION_SHARING_MATCH_SNI, "sni"},   {TS_SERVER_SESSION_SHARING_MATCH_CERT, "cert"}};
+
+bool
+HttpConfig::load_server_session_sharing_match(const char *key, MgmtByte &mask)
+{
+  MgmtByte value;
+  mask = 0;
+  // Parse through and build up mask
+  std::string_view key_list(key);
+  size_t start  = 0;
+  size_t offset = 0;
+  Debug("http_config", "enum mask value %s", key);
+  do {
+    offset = key_list.find(',', start);
+    if (offset == std::string_view::npos) {
+      std::string_view one_key = key_list.substr(start);
+      if (!http_config_enum_search(one_key, SessionSharingMatchStrings, value)) {
+        return false;
+      }
+    } else {
+      std::string_view one_key = key_list.substr(start, offset - start);
+      if (!http_config_enum_search(one_key, SessionSharingMatchStrings, value)) {
+        return false;
+      }
+      start = offset + 1;
+    }
+    if (value < TS_SERVER_SESSION_SHARING_MATCH_NONE) {
+      mask |= (1 << value);
+    } else if (value == TS_SERVER_SESSION_SHARING_MATCH_BOTH) {
+      mask |= TS_SERVER_SESSION_SHARING_MATCH_MASK_IP | TS_SERVER_SESSION_SHARING_MATCH_MASK_HOSTONLY |
+              TS_SERVER_SESSION_SHARING_MATCH_MASK_HOSTSNISYNC;
+    } else if (value == TS_SERVER_SESSION_SHARING_MATCH_HOST) {
+      mask |= TS_SERVER_SESSION_SHARING_MATCH_MASK_HOSTONLY | TS_SERVER_SESSION_SHARING_MATCH_MASK_HOSTSNISYNC;
+    }
+  } while (offset != std::string_view::npos);
+  return true;
+}
+
+static bool
+http_config_enum_mask_read(const char *name, MgmtByte &value)
+{
+  char key[512]; // it's just one key - painful UI if keys are longer than this
+  if (REC_ERR_OKAY == RecGetRecordString(name, key, sizeof(key))) {
+    return HttpConfig::load_server_session_sharing_match(key, value);
+  }
+  return false;
+}
 
 static const ConfigEnumPair<TSServerSessionSharingPoolType> SessionSharingPoolStrings[] = {
   {TS_SERVER_SESSION_SHARING_POOL_GLOBAL, "global"},
@@ -200,7 +247,7 @@ http_server_session_sharing_cb(const char *name, RecDataT dtype, RecData data, v
     MgmtByte &match = c->oride.server_session_sharing_match;
     if (RECD_INT == dtype) {
       match = static_cast<TSServerSessionSharingMatchType>(data.rec_int);
-    } else if (RECD_STRING == dtype && http_config_enum_search(data.rec_string, SessionSharingMatchStrings, match)) {
+    } else if (RECD_STRING == dtype && HttpConfig::load_server_session_sharing_match(data.rec_string, match)) {
       // empty
     } else {
       valid_p = false;
@@ -1059,8 +1106,7 @@ HttpConfig::startup()
 
   // [amc] This is a bit of a mess, need to figure out to make this cleaner.
   RecRegisterConfigUpdateCb("proxy.config.http.server_session_sharing.match", &http_server_session_sharing_cb, &c);
-  http_config_enum_read("proxy.config.http.server_session_sharing.match", SessionSharingMatchStrings,
-                        c.oride.server_session_sharing_match);
+  http_config_enum_mask_read("proxy.config.http.server_session_sharing.match", c.oride.server_session_sharing_match);
   http_config_enum_read("proxy.config.http.server_session_sharing.pool", SessionSharingPoolStrings, c.server_session_sharing_pool);
 
   RecRegisterConfigUpdateCb("proxy.config.http.insert_forwarded", &http_insert_forwarded_cb, &c);

proxy/http/Http1ServerSession.h

@@ -465,7 +465,7 @@ struct OverridableHttpConfigParams {
   MgmtByte keep_alive_post_out    = 1; // share server sessions for post
 
   MgmtInt server_min_keep_alive_conns         = 0;
-  MgmtByte server_session_sharing_match       = TS_SERVER_SESSION_SHARING_MATCH_BOTH;
+  MgmtByte server_session_sharing_match       = 0;
   MgmtByte auth_server_session_private        = 1;
   MgmtByte fwd_proxy_auth_to_parent           = 0;
   MgmtByte uncacheable_requests_bypass_parent = 1;
@@ -821,6 +821,8 @@ class HttpConfig
   inkcoreapi static HttpConfigParams *acquire();
   inkcoreapi static void release(HttpConfigParams *params);
 
+  static bool load_server_session_sharing_match(const char *key, MgmtByte &mask);
+
   // parse ssl ports configuration string
   static HttpConfigPortRange *parse_ports_list(char *ports_str);
 

proxy/http/HttpConfig.cc

@@ -29,24 +29,37 @@
 
 #pragma once
 
-// This is use to signal apidefs.h to not define these again.
-#ifndef _HTTP_PROXY_API_ENUMS_H_
-#define _HTTP_PROXY_API_ENUMS_H_
-
 /// Server session sharing values - match
 typedef enum {
+  TS_SERVER_SESSION_SHARING_MATCH_IP,
+  TS_SERVER_SESSION_SHARING_MATCH_HOSTONLY,
+  TS_SERVER_SESSION_SHARING_MATCH_HOSTSNISYNC,
+  TS_SERVER_SESSION_SHARING_MATCH_SNI,
+  TS_SERVER_SESSION_SHARING_MATCH_CERT,
   TS_SERVER_SESSION_SHARING_MATCH_NONE,
   TS_SERVER_SESSION_SHARING_MATCH_BOTH,
-  TS_SERVER_SESSION_SHARING_MATCH_IP,
-  TS_SERVER_SESSION_SHARING_MATCH_HOST
+  TS_SERVER_SESSION_SHARING_MATCH_HOST,
 } TSServerSessionSharingMatchType;
 
+typedef enum {
+  TS_SERVER_SESSION_SHARING_MATCH_MASK_NONE        = 0,
+  TS_SERVER_SESSION_SHARING_MATCH_MASK_IP          = 0x1,
+  TS_SERVER_SESSION_SHARING_MATCH_MASK_HOSTONLY    = 0x2,
+  TS_SERVER_SESSION_SHARING_MATCH_MASK_HOSTSNISYNC = 0x4,
+  TS_SERVER_SESSION_SHARING_MATCH_MASK_SNI         = 0x8,
+  TS_SERVER_SESSION_SHARING_MATCH_MASK_CERT        = 0x10
+} TSServerSessionSharingMatchMask;
+
 /// Server session sharing values - pool
 typedef enum {
   TS_SERVER_SESSION_SHARING_POOL_GLOBAL,
   TS_SERVER_SESSION_SHARING_POOL_THREAD,
 } TSServerSessionSharingPoolType;
 
+// This is use to signal apidefs.h to not define these again.
+#ifndef _HTTP_PROXY_API_ENUMS_H_
+#define _HTTP_PROXY_API_ENUMS_H_
+
 /// Values for per server outbound connection tracking group definition.
 /// See proxy.config.http.per_server.match
 typedef enum {
@@ -55,4 +68,5 @@ typedef enum {
   TS_SERVER_OUTBOUND_MATCH_HOST,
   TS_SERVER_OUTBOUND_MATCH_BOTH
 } TSOutboundConnectionMatchType;
+
 #endif